[anti-abuse-wg] 2019-03 New Policy Proposal (BGP Hijacking is a RIPE Policy Violation)

On Wed, Mar 20, 2019 at 10:41:00PM +0000, Carlos Friaas wrote:
>>there has been a trend in recent years to make RIPE policy that
>>transforms the NCC from a resource registry into a political
>>agency to monitor and prescribe the behaviour of the internet industry
>
>Do you actually have any reference about that?

Read the address-policy and particularly the aawg archives. There
have been a number of proposals such as the Europol one and the
endless saga of the abuse-c: verification... 

>>in the  RIPE Service Region by weaponising the NCC
>>Service Agreement.
>
>Isn't that a contract? If a party breaches a contract, isn't it normal 
>for the other party to terminate it?

Not for the RIPE NCC. The NCC aims to restore compliance with the
SSA and not to punish the member unless as a last resort.

>>This I consider harmful to the standing of
>>the RIPE NCC as an impartial, non-political resource registry.
>
>What i consider harmful is abuse against the RIPE NCC and the RIPE NCC 
>Membership at large.

Please state exactly how advertising someone else's resources
constitutes "abuse against the RIPE NCC" unless the offender also
registers wrong data in the ripedb.

>The RIPE NCC has proven several times it is impartial, and it is not 
>influenced by political or geo-political events/constraints. The RIPE 
>NCC acts according to Dutch court orders, as is supposed. Do you have 
>any evidence that the RIPE NCC has acted beyond Dutch court orders? I 
>don't.

I have not claimed that it has.
>
>
>
>>The major point, even if you accept that the NCC has a mandate to
>>act as a regulatory authority
>
>If it has, please point me out to where i can find it in writing.
>The NCC is a Regional Internet Registry. Its purpose (as i see it) is 
>to distribute Internet resources. So, if it distributes resource X to 
>party Y, then if party Z takes over the resource without party Y's 
>consent, the whole concept and purpose of having a registry is broken.

No. The purpose of a registry is to keep a *register* of data (in
this case, resources). This aids members and others in finding
out who the rightful "owner" of a resource is. 
The Land Registry records who owns a bit of land, it does not
enforce who can live on it. If someone takes over someone else's
land, the *courts* deal with it.

>>- which I want to state
>>unequivocally here that I do NOT - against this proposal is that
>>it is ineffective and a waste of time and membership funding:
>
>So you already have the Impact Analysis done two days after the 
>discussion phase has started? But isn't the role of the NCC to perform 
>such I.A.?

I'm stating an oinion on the proposal which I am entitled to do.
>
>
>>1. The procedures for policy violations in the RIPE NCC are
>>restorative rather than retributive.
>
>I agree with this. The proposal aims to restore "normality", where 
>only a legitimate holder is able to use/announce the resource. :-)
>Just out of curiosity, this restorative vs. retributive is written 
>exactly where?

In the SSA. The SSA describes exactly what happens in case of
policy violations and it is crystal clear that these steps are
intended to rectify the situation rather than to punish the
offender after the fact.
 
>>If the NCC determines that a policy violation has occurred,
>
>This proposal suggests clearly it is NOT the NCC who is determining if 
>a policy violation has occurred.

Pretty sure it is the NCC only who can determine that. Others may
state opinions as to whether or not something is a policy
violation but it's the NCC's *job* to make that determination.

>>the "offender" is given an
>>opportunity to rectify the situation, if they do so the case is
>>closed. Only if the "offender" refuses to cooperate or is not
>>contactable is any further action taken.
>
>So, where exactly do you see in the suggested process, the lack of 
>opportunity (or opportunities) for the presumed "offender" to 
>cooperate?

Not my claim. I was paraphrasing the terms of the SSA

>>2. "Resource hijacks" are transient in nature. They persist,
>>generally, only until the "offender's" neighbours take action.
>>Yet, 2019-03 proposes a long, convoluted, costly process involving
>>"experts", reports, appeals and the NCC Board.

>From what i read from you, a speedy process will be undesirable, but a 
>process with all the checks & balances will also be undesirable. 
>Understood.

A due process is ineffective as the hijack will be long over by
the time anyone makes a determination.

A speedy process (terminate the member on some expert's say-so?)
is unacceptable (I hope, the membership may feel suicidal).

So, the proposal makes no sense either way.

>>By the time this
>>process has run its course, the "resource hijack" in question
>>will have long faded from memory. So the end result of this
>>proposed process is that the "offender" gets a report which it
>>will, in all likelihood, consign to the round archive (ie the
>>recycling bin).
>
>I'm confused. So you think a fast track process will better serve the 
>community's interests?

see above.



>>3. The time of the NCC staff and the Board will have been wasted. So

>Which time of the NCC staff? Just drawing which expert will be 
>associated with Case#N? I suggest letting an algorithm work :-) The 
>NCC staff doesn't need to be involved, really.
>The Board's time -- why not let them think about it? (i.e. the impact 
>analysis?)

Again, I'm stating an opinion on the process, I do not propose to
prevent the Board from thinking about it.

>>will have NCC funding which we, as the Membership have to
>>provide. The "experts" will in all likelihood not work for free
>>either, indeed a cynic could argue that the main effect of this
>>proposal is to let some "experts" dip their beak into NCC funds.
>
>So, if a set of people agrees do this on a voluntary basis, you would 
>consider to support the idea?

If so, I'll concede *this* point, it won't make me support this
proposal.

>>4. I want to forestall the inevitable argument here that "we can
>>make policy to have those evildoers thrown out of the NCC
>>later!". No, you can't. The SSA and its contents are solely the
>>domain of the NCC Membership
>
>My employer is also part of the NCC Membership. I wouldn't mind 
>discussing this during an AGM, if the Board allows it.

I suspect at some point in time it will come to this. Not least
because the membership will have to vote on any changes to the
SSA.

>"activist randomers on a mailing list", just for sake of clarity, is 
>aimed only at the two co-authors, or also at other people which have 
>already expressed support for the idea/proposal? :-))

It is a somewhat jesting term for the RIPE community in general.
Because at the end of the day, that's what it is. Some email
accounts on a list. Some people I know, most I don't, some use
pseudonyms, others I suspect of being sockpuppets for the same
person... Generally not a forum I would want to make decisions on
punishment for the fee-paying members.
But that is a discussion for another day.

rgds,
Sascha Luck